
Swamped by W32.Mytob.EH@mm

Oh the joys of running webservers and being the admin contact for _many_ domains. I’ve been receiving tons of spam generated by the W32.Mytob.EH@mm worm. We’re talking 10 or 20 a day. Plus I’ve been receiving tons more bounce messages, and a few aggravated “abuse” report emails from aggravated netizens, who’ve received spams where my addresses have been faked in the “From:” field.

(No, I’m not infected – these mails are being generated by other people’s computers. The worm trawls the infected computer’s address book and files, looking for domains names.)

Symantec has a brilliant, detailed description about W32.Mytob.EH@mm. It’s really a textbook case on how to write such a worm:

  • Executes itself as a Windows-looking exe
  • Is pre-programmed with the directory locations most likely to contain email addresses: minimising disk activity and therefore human detection
  • Parses email addresses so that just the domain is captured – allowing multiple messages to be sent to different addresses at the same domain
  • Avoids sending emails to admin-looking addresses (to reduce the chances of someone techie receiving the mail + knowing what to do with it), and to various educational establishments
  • Takes the list of domains and attempts to connect to each domain’s SMTP server to see if it’s an open relay. When it does locate a vulnerable SMTP server, the worm masquerades so that the host computer looks like it belongs to that domain too, to make detection harder.
  • Uses the lessons learnt from phishing to create various different emails that incite the user to open the attachment – the emails look like they’ve come from the administrator or helpdesk of the domain, informing the user that their account has been suspended, etc
  • Includes the worm as an attached payload for replication
  • Connects to an IRC channel to enable zombie control (distributed denial of service, execute local files, etc)
  • Blocks access to security-related websites such as Symantec by altering the hosts file to point to localhost
  • Attempts to crash antivirus applications so that they cannot detect the worm
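
As an added example (not from this post or from Symantec’s write-up), here is a small Python check a defender could run over a hosts file to spot the kind of localhost redirection described in the last-but-one point above. The sample hosts contents are constructed, and every vendor hostname in it other than symantec.com is an assumed placeholder.

```python
from collections import namedtuple

# Names that legitimately map to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Addresses a hosts-file hijack typically points blocked sites at.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample of a tampered Windows hosts file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 update.assumed-av-vendor.example   # placeholder vendor name
192.168.1.10 fileserver.internal
"""

Hijack = namedtuple("Hijack", "line_no address hostname")


def find_hosts_hijacks(hosts_text, watchlist=None):
    """Return hosts-file entries that pin a non-local hostname to a loopback
    or null address. If `watchlist` (domain suffixes) is given, only hostnames
    under those domains are reported; otherwise every such entry is."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINKHOLE_ADDRS:
            continue                              # ordinary static mapping
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue
            if watchlist and not any(name == d or name.endswith("." + d)
                                     for d in watchlist):
                continue
            hits.append(Hijack(line_no, addr, name))
    return hits


if __name__ == "__main__":
    for hit in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.address}")
```

On a live machine, read the real hosts file (for example `C:\Windows\System32\drivers\etc\hosts`) instead of `SAMPLE_HOSTS`; any hit for a security vendor is a strong sign of tampering worth investigating.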

It’s a pretty nasty one. Please keep your virus definition files up to date. (You do have an anti-virus application installed, don’t you?)

Published in Thoughts and Rants